bltesar

thanks everyone for your help, but, unfortunately, it isn't working for images. if I put php files above the root directory or in a password protected folder, they can be executed from another directory using include() without being prompted for user/pass, just as hostfreak said and akitchin suggested.  But this approach does not work for images, whose source is defined within the HTML.

you can change the parameter for the duration of your script using session_set_cookie_params see http://us2.php.net/manual/en/function.session-set-cookie-params.php

what about the $_SERVER variables PHP_AUTH_USR, etc.?  Are these not used for server authentication?

thank you! putting the images above the root directory seems the best approach.  I'll try it out. But another related question. If I have a file or folder password protected on the server, i.e. via my web hosting utility, is there any way that I can authorize a user via PHP rather than have the username/password box popup?

instead of <=count($days), you should have <count($days)

bump

because the date/time functions are executed on the server side, they will be independent of the client's machine settings.  To always have eastern time, you need to find out the time zone of your server and adjust accordingly e.g.  date('h:i:s a', time()+3600); to add an hour to your server time.  

these values, ?prod_lvl1=7, etc. are called a query string.  These are created by submitting a form using the GET method.  So on your page, you'll see something like this to start your form: [code] <form name="myform" action="thispage.php" method="get"> [/code] dropdown boxes and radio buttons have values, the info that is acually sent, and text, the info that is seen on screen.  So for example, a radio button might look like [code] <input type="radio" name="radiogroup" value="5">the fifth choice<br> [/code] you could change the values to be the same as text, but spaces are not allowed when using the GET method.  Also, your page is set up to receive the numbers, not the text, and everything would have to be rewritten changing all the code that checks for numbers to check for text. You could change the method to POST, and there won't be any ?'s after the URL.  You'd then need to change all the $_GET's to $_POST's on the receiving end.  Finally, since your form must contain all the possible options for these submitted fields, the user has access to all this information, and whether it is a code or a label shouldn't really affect the security of the site.  Unless of course, someone has already found a way to get into your database and manipulate data.  If that's the case, well you've already got another problem.

that must be it see http://us2.php.net/manual/en/ref.session.php#ini.session.cookie-lifetime

logouts work, but you cannot rely on users to logout and you still have the problem of what to do when a browser is closed without logging out. sessions should be lost when the browser is closed, although they do persist on the server until automatic cleanup gets rid of them.  They can only be reaccessed if there is some memory of the session id, say in a cookie, and specific code to reopen the session. how are the sessions being started? try creating a session variable with some value, close your browser, reopen it and see if the stored value is also retained.  

without knowing the requirements of PayPal, I can't tell you exactly how this should be set up, but I can see that there are some problems with the organization of your code blocks.  everything from [code]$title = $row['title']; $id = $row['id']; $price = $row['price']; foreach ($contents as $id=>$qty) { for ($i = 0; $i < 10; $i++) { [/code] on should go in the first foreach block, probably after [code] $total += $row['price'] * $qty; [/code] and the foreach ($contents as $id=>$qty) should be omitted and the code within placed there I can't understand why the for ($i = 0; $i < 10; $i++)  loop is there.  It doesn't seem to serve any purpose.  You already have a hidden input for the quantity, so there really isn't any reason to change the i<10 to i<$qty Also, some of the hidden fields do not have unique names, e.g. [code] <input type="hidden" name="upload" value="'.$i.'"> [/code] and sending multiple inputs with the same name can create problems. Finally, if there is to be one button to submit all items for payment, there should only be one form block, and the beginning and end should be before and after all the other code.

your missing a '}' here - [code]   if ($password != $passcheck)   {       throw new Exception('The passwords you entered do not match.'); [/code]

When a .php file contains <?PHP ?> tags, it knows to execute the code within at the location where it is placed. 

correction, try try header("Location:http://www.yourdomain.com/closed/index.php"); instead.

I can see a couple of possible problems here. First, you don't have 'admin' and 'y' in quotations in your conditionals. Second, I'm not sure that - echo '<meta http-equiv="REFRESH" content="0;URL=closed/index.php">'; -will result in a redirect (if it does, I've learned something new-thanks).  You might try header("Location:yourdomain.com/closed/index.php"); instead.

perhaps your server is not set up to use ASP style tags.  Try [code] //if($logged[username] && $logged[level] ==$team) //{ ?> <center>Welcome <b><?PHP echo $logged[username];?></b></center><br /><br /> <?PHP echo $menu;?><br /><br /> [/code] Also, I don't understand the following lines of your code: [code] menu = <<<INCLUDES $addprofile, $manageprofile, $newsform, $logout; [/code] Perhaps <<<INCLUDES is something with which I am not familiar, or it's just your notation.

I am not at all familiar with this construct.

Sorry, I didn't read the question as carefully as I should have.  Yes, WHERE >=9 AND <=10 is the correct clause.

SELECT * FROM games WHERE score>8 and score<11

Yes, I can password protect the directory, but I want to be able to authenticate users via PHP.  I don't want to have to go to my hosting utilities and add information for each username/password.  I want to use a single username/password and have PHP do the authentication for users that have already been authenticated via PHP?MySQL.  Put another way, once users have logged into my site, I don't want them to again have to enter a username and password for the folder password protection.

you have $invitearrary instead of $invitearray on the line     $sizearray = count($invitearrary);

Yes, but what if someone guesses the name of one of my images, which is actually a realistic possibility.  The website I created is for a real estate company.  Some of the photos are displayed on the public website, others are not.  The photos are all named in the same way, e.g. floorplan_00023, so anyone could try different versions of that and access all the photos.  I could just put all the private photos in a password protected folder, but there are other situations in which this will not do.  Unless of course, there was a way to have the authentication done via PHP.

That really makes no sense.  Do you have display_errors set to display errors?  Perhaps you don't and the problem is that you're using the wrong filename path? So far, and aside from the problem you wrote about, how do you like using the Mac compared to the PC?

I have a site that allows access to registered users only with authentication via PHP/MySQl.  It works just fine, and only authorized users can access the site beyond the login page; however, anyone can easily access images on the site, provided they know the names of the images, by navigating to the address of the images.  How can I protect the images on this site from public access?

it may be that you're missing semicolons.  Try: [code] <center>Welcome <b><?=$logged[username];?></b></center><br /><br /> <?=$menu;?><br /><br /> [/code]